Darkstat on Linux – a quick‑start guide for the web‑based traffic sniffer
If you’re tired of watching your bandwidth drain while the router’s LED blinks, Darkstat is a lightweight web interface that gives you instant insight into who’s using what. Below is how to pull it off on the most common distros and start spotting troublemakers in minutes.
Installing Darkstat
Debian/Ubuntu
sudo apt update
sudo apt install darkstat
Debian’s package manager pulls a precompiled binary, so you skip compiling from source and avoid dependency headaches.
CentOS/RHEL 7‑8
sudo yum install epel-release
sudo yum install darkstat
Fedora / RHEL 9+
sudo dnf install epel-next-release
sudo dnf install darkstat
The EPEL repositories contain the up‑to‑date Darkstat build.
Tuning the configuration
Darkstat ships with /etc/darkstat.conf. Open it:
sudo nano /etc/darkstat.conf
Look for these lines and tweak them to match your network setup:
- INTERFACE="eth0" – set this to whatever interface you want to sniff.
If you forget, Darkstat will silently sit on eth0 even if your machine uses Wi‑Fi.
- PORT=6677 – the port on which the web UI listens.
You can pick any unused port; just remember it when you open a browser.
- MAX_LOG_SIZE=1024 – megabytes of log data kept before rotation.
If you’re running a home network, 1 GB is plenty.
After editing, restart the service:
sudo systemctl restart darkstat
Darkstat doesn’t auto‑reload config changes; you have to restart it.
Exposing the web UI
By default, Darkstat listens on localhost only. If you want external access, edit /etc/darkstat.conf again:
LISTEN="0.0.0.0"
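Then restart the service. The web UI has no login and is served over plain HTTP, so restrict the port to trusted addresses with a firewall rule before exposing it. Open a browser to http://your-server:6677/. You’ll see a dashboard that shows total traffic per IP, per protocol, and the top talkers over time.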
Using the interface
| Section | What you get | Why it matters |
|---|---|---|
| Overview | Total bytes in/out, packets, and active connections. | Spot sudden spikes—maybe a torrent or a backup script. |
| Top Talkers | A sortable list of IPs by data volume. | See if a single device (e.g., your smart fridge) is hogging the line. |
| Protocol Chart | Pie chart of TCP/UDP/etc. usage. | Check for unexpected UDP traffic—could be a rogue VPN or a DoS attempt. |
| Time Graph | Line plot of traffic over the past 24 hrs (or longer). | Notice daily peaks; align them with scheduled backups or streaming sessions. |
Real‑world tip: I once saw a home network where Darkstat flagged the smart thermostat as the second highest talker after my office laptop. After checking, the thermostat was pushing firmware updates to every device on the network—hence the mysterious data usage spike.
Keeping it tidy
Darkstat logs raw packets in /var/log/darkstat. If you’re running a server that stays up forever, you’ll want to rotate these logs:
sudo logrotate -f /etc/logrotate.d/darkstat
You can also set a cron job to clean old logs daily.
Quick sanity check
If Darkstat isn’t showing any traffic, confirm:
1. The interface is up and carrying packets (ip -s link show eth0 prints the RX/TX counters).
2. No firewall rules are blocking inbound packets on the chosen port.
3. Your user is in the darkstat group (if you installed from source).
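An added example, not part of the original guide or the Darkstat project: a POSIX shell audit of the INTERFACE, PORT and LISTEN settings discussed above, meant to be run before restarting the service. It assumes the KEY="value" config format and key names this guide shows; conf_get, audit_darkstat_conf and NET_SYS_DIR are names made up for the example.

```shell
#!/bin/sh
# Added example: audits a config in the KEY="value" form this guide shows.
# Key names (INTERFACE, PORT, LISTEN) are taken from the guide; the function
# names and NET_SYS_DIR are assumptions made for this example.
NET_SYS_DIR="${NET_SYS_DIR:-/sys/class/net}"   # override to test offline

# Print the last value assigned to key $2 in file $1. The file is parsed,
# never sourced, so a tampered config cannot run commands as the auditor.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//'
}

# Print findings; return the number of warnings (64 if the file is unreadable).
audit_darkstat_conf() {
    conf=$1
    warnings=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 64; }
    iface=$(conf_get "$conf" INTERFACE)
    port=$(conf_get "$conf" PORT)
    listen=$(conf_get "$conf" LISTEN)

    # A missing or misspelled capture interface means no traffic is recorded.
    if [ -z "$iface" ] || [ ! -e "$NET_SYS_DIR/$iface" ]; then
        echo "WARN: INTERFACE '${iface:-unset}' not found in $NET_SYS_DIR"
        warnings=$((warnings + 1))
    fi

    # The port must be a number in the valid TCP range.
    case $port in
        ''|*[!0-9]*) bad_port=1 ;;
        *) bad_port=0
           if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then bad_port=1; fi ;;
    esac
    if [ "$bad_port" -eq 1 ]; then
        echo "WARN: PORT '${port:-unset}' is not a valid TCP port"
        warnings=$((warnings + 1))
    fi

    # A wildcard bind serves per-host traffic data on every network.
    case $listen in
        0.0.0.0|::)
            echo "WARN: LISTEN=$listen exposes the UI on all interfaces"
            warnings=$((warnings + 1)) ;;
    esac
    echo "$warnings warning(s) for $conf"
    return "$warnings"
}
```

Call it as audit_darkstat_conf /etc/darkstat.conf; the return status is the warning count, so it can gate the restart in a deploy script.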
That’s it! Darkstat gives you a low‑overhead, web‑based window into your network traffic. Once you start spotting patterns, you’ll know exactly when to pause that backup or block an unwanted device. Happy sniffing, and remember: if something looks odd, investigate—your router is probably trying to tell you something.